North Korean military blamed for “wiper” cyber attacks against South Korea

The South Korean government is pointing a finger toward Pyongyang in its assessment of last month's cyber-attacks on banks and media companies that affected thousands of computers and took electronic banking sites and ATM networks offline.

A report by South Korea's Ministry of Science, Information and Computer Technology, and Future Planning found evidence that the attack was carried out by North Korea's military intelligence, otherwise known as its "general reconnaissance bureau." The March 20 attack—which spread "wiper" malware that deleted the master boot record of PCs and attempted to delete volumes from Unix and Linux servers they were connected to—"resembled North Korea's past hacking patterns," a ministry spokesperson said in a Wednesday press briefing.

The attack targeted private citizen's computers as well as the website of an anti-North Korean organization and South Korean broadcaster YTN. Forensic evidence from it pointed directly to North Korean involvement. Six computers located at North Korean IP addresses were involved in the spreading of the malware used in the attacks, either directly or through proxies in China. Based on 76 malware samples collected by the investigation, the attack was planned at least eight months ago, when the code was spread to victims' PCs. This was largely accomplished through e-mail attachments disguised as bank account statements.

The cyber attacks took place as North Korea ramped up its threats against South Korea and the US during joint military exercises. North Korea claims that it has been the victim of cyber-attacks by the US and its allies; Anonymous and numerous other "hacktivists" have taken credit for ongoing hacks of North Korean websites operated outside of North Korea.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.